It's not clear if the author was hired to do this pentest or is a guerilla/good samaritan. If it is indeed the latter, I wonder how they are so brazen about it. Does chattr.ai have a responsible disclosure policy?
In my eyes people should be free to pentest whatever as long as there is no intent to cause harm and any findings are reported. Sadly, many companies will freak out and get the law involved, even if you are a good samaritan.
> It's not clear if the author was hired to do this pentest or is a guerilla/good samaritan
Pretty clear to me, "it was searching for exposed Firebase credentials on any of the hundreds of recent AI startups", running a script to scan hundreds of startups.
> Sadly, many companies will freak out and get the law involved, even if you are a good samaritan.
Yeah, but that also ends with that company being shamed a lot of the time
Plain text passwords, seriously. At that point, I'm not sure what would be a similarity with any other engineering profession. The plain text passwords are beyond any rhyme or reason... and then returned to the end user client. If anything, I'd consider it malicious negligence - in the EU the leak would be a GDPR issue as well.
The issue is it is often impossible to distinguish from a white hat or a black hat hacking your live systems. It can trigger expensive incident response and be disruptive to the business. Ethically, I think it crosses a line when you are wasting resources like this, live hacking systems. There is usually a pretty clear and obvious point where you can stop, not trigger IR, and notify the companies. Not saying that was the case here, but I have been doing cybersecurity assessment work for 17+ years. Even when you have permission sometimes the juice isn't worth the squeeze to keep going as you often have proven the thing you needed to or found the critical defect. There is a balance to white hat activities and using good sense to not waste resources.
From one Paul to another, best of luck! For the goal of improving overall web security, widespread shame doesn't work. My hunch is that we need to be more prideful about having verifiably robust security practices. Kind of like getting corporations to realize that the data is more valuable if you can prove that nobody can breach it.
Either way it is a fascinating write-up. It will hopefully be a cautionary tale for other businesses and companies out there, and will inspire them to lockdown this credentialing issue. I've noticed a similar blasé attitude when implementing SSO; the devil is in the details as they say.
The bad guys don't play by the rules so the rules only hinder the good guys from helping. I think Internet security would be in a better position if we had legislation to protect good samaritan pentesters. Even moreso if they were appropriately rewarded.
Do you feel the same about physical security? It's fine for people to walk around your building, peek in the windows, maybe pick the lock on the door, maybe even take a little walk inside, as long as they don't steal anything?
If I owned a bunch of vending machines, and someone came to me and said "Hey, I found out that if you put a credit card in the dollar bill slot, it gives out free soda and empties all its coins through the return slot," I would a.) be pleased to have been informed and b.) not be upset that they did this.
If a neighbor came to me and said, "Hey, your mailbox that's located at the end of your long dirt driveway is protected by a wafer lock that can be opened by simply slapping the side of the mailbox in a funny way," I would maybe wonder why they were slapping my mailbox but I would be grateful that they told me and I would want them to continue doing whatever weird shit they were doing (so long as it wasn't causing damage).
When you put property in a public (or practically public) space, there's an expectation that it will not be treated as though it is on private property. There's a big difference between someone jiggling the door to your home (where you physically reside) and jiggling the lock on a mall gumball machine or the handle on a commercial fire exit.
Would you drive over a group of people with a bus? Would you do it in GTA?
There is a big difference between the digital world and the physical one. Many actions, e.g. stealing, are very different in these 2 worlds and have very different implications.
There's a huge fucking difference between "yo, the neighbourhood and country is unsafe and there is no strongly upheld norm here of people not seeing if they can enter someone else's house if their door is easily unlockable. You must be new here since I noticed your door is pretty insecure, I recommend you do x,y and z if you are to live here safely. Take care." Versus "yo, I just entered your home and snooped around since it was easy to lockpick. There are actually strong norms here of people not doing this so I know this is quite the social violation and something like this had a very low probability of happening otherwise but, you know, your door is weak so it was my right to enter. You should fix it btw"
The internet is like the former not the latter and taking a moral high ground stance that it just should be otherwise is just screaming underwater while doing nothing to actually protect yourself from an actual real threat.
I'd be very thankful if I moved to some place I'm unfamiliar with where people lockpicking is just a cultural norm and someone warned me I should get a better door.
Lack of proper regulations, engineering standards, and tangible fines means that the only democracy that exists is the people themselves taking action. The corps being hacked have plenty of malicious intent, perhaps focus on that.
In the American case, the interpretation of the CFAA under Van Buren (2021) would provide at least the defense that one does not violate the law if there is no meaningful authorization scheme in place to determine what constitutes "exceeds authorized access". This may sound pedantic but when reporting on the decision much of the non-specialist media seemed to have failed to appreciate that in order to determine what conduct exceeds authorized access, it's necessary to be able to determine where authorized access starts and ends in every case as a factual matter, and the courts essentially threw out the theory that one can simply use a non-technological solution (like a very broad ToS) as a backstop and require some sort of notice and specificity. I don't think the mere fact that such a technological scheme can be erected is relevant since in theory you can put in some sort of basic authorization scheme - including basic HTTP authorization - around pretty much anything accessible via the protocol, but anything beyond a showing of actually putting such an authorization scheme in place, there's no real way to determine the unimplemented intent of some company in a way with any certainty. It's Orin Kerr's "gate-up-gate-down" theory - you need to have a gate in place to start with, instead of just a space where a gate can go or the assumption where a gate should be to figure out whether the gate is up or down, and without that determination one cannot meet all of the elements required to prove a violation of the statute.
I wouldn't even consider this "hacking" really. If prosecuted a defense attorney familiar with both the technology and the admitted niche area of computer crime law can readily conduct some very effective cross-examination against whoever the state is bringing out as a witness. The government does frequently rely on the lack of tech-competent and accessible counsel as a way to exert coercion (and usually resulting in a plea), and it doesn't help that the layperson has a very difficult time figuring out what qualities constitute competency when looking for attorneys (hence the enduring popularity of jingles since being memorable is frequently mistaken for being competent), but they are out there.
You could ostensibly make a great tool from this data for those seeking employment....
Make a tool which will look at the list of all the franchises within radius of person, and have it auto submit applications to all of them simultaneously...
It is using the Avif format (for images) for a 2x compression bonus over PNG while still maintaining a higher quality over JPG.
If you can't view the images then it means you are likely using an outdated browser, all current versions of browsers support it (afaik) except Internet Explorer.[0]
...And if you are using Internet Explorer, then god help you.
Since this is a post about security, this is your daily reminder to update your browser to stay safe on the internet. Up-to-date versions of Safari support AVIF images, and there have been multiple RCE vulnerabilities with known exploits fixed last year in Safari...
iPhones are the scariest device to do anything important on.
I had a moment of total freakout when I realized the person across from me at lunch had an iPhone on the table. Actually he had an Android, and we continued talking like no big deal.
To be clear, we were talking about a 10-100M dollar problem, this wasn't small potatoes.
Too many exploits, I can't imagine having anything of value on an iPhone.
The web is insecure enough as it is, I just want to do my part to make it that little bit safer :)
https://www.ftc.gov/news-events/news/press-releases/2023/11/...
I’m curious what the limits are
I don't see how this "p0wns" the companies themselves
[0] https://caniuse.com/avif